We had a sobering event last week. Our bank account was almost hacked and had the hackers been successful, we would no longer be in business. All this hard work of building a nice company over many years could have been wiped out in 60 seconds.

Fortunately this didn’t happen. But it was so close that I had a tough time sleeping for a few days. Thank goodness for the keen eye of our office manager, Patricia, who saved us from losing everything in our checkbook.

Here are the three things I learned:
1. The hackers are really sneaky and good at what they do.
2. If the money gets stolen then it’s gone. The bank can’t really help you.
3. You must have a strategy for your online business banking approach.

The first one is pretty obvious. We know these guys are good at what they do. They look at it as their job. In case you question this, please consider that we are not talking about dorm room geek stuff. These are highly trained computer programmers located in distant countries that know how to get in between your very keystrokes. Even good antivirus software can be nothing but an annoyance to them and far from a brick wall.

We had what was called a “man in the middle” attack. In this type of attack, the would-be thieves have the ability to see when we login in to our account. Now mind you, our account has three separate passwords including a random one from a key chain token that is newly generated with each new login session. These guys didn’t need to hack our passwords; instead they simply jumped in once we were logged in and then took control. They put up a screen asking for some additional information which was nothing but a shroud to cover the actual screens they were looking at. We found out later that they went straight to the online transfer area and were in the process of setting up a wire transfer. Fortunately Patricia started thinking the extra screen that had popped up didn’t feel right so she called the bank. They had Patricia unplug the computer right away which broke the connection that the hackers were using.

You see the real trick here is that the hackers were riding on our connection and using the bank account as if it were us. In fact, since they were using our connection, even the IP address looked like it came from us because it did! As such, any wire transfer that would have been made, would have looked legitimate. Legitimate enough that the bank couldn’t distinguish that it wasn’t us actually authorizing the transfer.
This gets to my second point; The banks can’t really do anything. If the robbers had wired the money out, then it was gone. Yes there is some process where you can go through “recovery” and get the law authorities involved, but that takes weeks if not months. Meanwhile you still have to pay your employees, rent, vendors etc. and if you have no cash then, as Porky Pig said, “That’s all folks”.
I read online about several small businesses that were wiped out in this manner.

So what do you do? How do you accomplish online business banking?

There are various ways to better protect yourself and you should look at all of them and determine what will work best for your needs. First, get excellent virus and firewall software. Don’t do the free stuff. Pay for a good one. Second, and this is what we have done, limit your online banking to one machine and do not use that machine for anything else. Don’t do email on it, Don’t surf the web. Don’t download web software. Just use it for looking at your accounts. And when you are done, turn it off. Third, have double approval processes for wire transfers where any transfer must be authenticated with a phone call from the bank. Fourth, talk to your bank about a service called “ACH Blocker” where they limit online payments and transfers to a list of approved parties. You can add and delete the contents of this list at anytime but the point is, no strange or unknown parties can get your money without additional approval from you.

This was a real wake up call. It took me several days to wrap my head around how close I was to losing everything. I hope that this article will stimulate you to look at your own practices and make some changes that can prevent something from happening to you.

Computer Security and Online Banking was last modified: November 1st, 2012 by Nick Mark